}
/**
- * Check if an active user with the given email exits in database
+ * Search for an active user with the given email exits in database
*
* Please note that email is case insensitive, result for searching 'mail@email.com' or 'Mail@Email.com' will be the same
*/
- public boolean doesEmailExist(DbSession dbSession, String email) {
- return mapper(dbSession).countByEmail(email.toLowerCase(Locale.ENGLISH)) > 0;
+ @CheckForNull
+ public UserDto selectByEmail(DbSession dbSession, String email) {
+ return mapper(dbSession).selectByEmail(email.toLowerCase(Locale.ENGLISH));
}
public void scrollByLogins(DbSession dbSession, Collection<String> logins, Consumer<UserDto> consumer) {
List<UserDto> selectByIds(@Param("ids") List<Integer> ids);
- void scrollAll(ResultHandler<UserDto> handler);
+ @CheckForNull
+ UserDto selectByEmail(String email);
- long countByEmail(String email);
+ void scrollAll(ResultHandler<UserDto> handler);
/**
* Count actives users which are root and which login is not the specified one.
ORDER BY u.name
</select>
- <select id="countByEmail" parameterType="String" resultType="long">
- SELECT count(1)
+ <select id="selectByEmail" parameterType="String" resultType="User">
+ SELECT
+ <include refid="userColumns"/>
FROM users u
- where lower(u.email)=#{email} AND u.active=${_true}
+ WHERE lower(u.email)=#{email, jdbcType=VARCHAR}
+ AND u.active=${_true}
</select>
<select id="countRootUsersButLogin" parameterType="String" resultType="long">
}
@Test
- public void exists_by_email() {
- UserDto activeUser = insertActiveUser();
- UserDto disableUser = insertUser(false);
+ public void select_by_email() {
+ UserDto activeUser = db.users().insertUser();
+ UserDto disableUser = db.users().insertUser(u -> u.setActive(false));
- assertThat(underTest.doesEmailExist(session, activeUser.getEmail())).isTrue();
- assertThat(underTest.doesEmailExist(session, disableUser.getEmail())).isFalse();
- assertThat(underTest.doesEmailExist(session, "unknown")).isFalse();
+ assertThat(underTest.selectByEmail(session, activeUser.getEmail())).isNotNull();
+ assertThat(underTest.selectByEmail(session, disableUser.getEmail())).isNull();
+ assertThat(underTest.selectByEmail(session, "unknown")).isNull();
}
@Test
*/
package org.sonar.server.authentication;
-import java.io.IOException;
-import java.io.UnsupportedEncodingException;
import javax.servlet.http.HttpServletResponse;
import org.sonar.api.utils.log.Logger;
import org.sonar.api.utils.log.Loggers;
import org.sonar.server.authentication.event.AuthenticationException;
import static java.lang.String.format;
-import static java.net.URLEncoder.encode;
-import static java.nio.charset.StandardCharsets.UTF_8;
+import static org.sonar.server.authentication.AuthenticationRedirection.encodeMessage;
+import static org.sonar.server.authentication.AuthenticationRedirection.redirectTo;
final class AuthenticationError {
return contextPath + format(UNAUTHORIZED_PATH_WITH_MESSAGE, encodeMessage(publicMessage));
}
- private static String encodeMessage(String message) {
- try {
- return encode(message, UTF_8.name());
- } catch (UnsupportedEncodingException e) {
- throw new IllegalStateException(format("Fail to encode %s", message), e);
- }
- }
-
public static void redirectToUnauthorized(HttpServletResponse response) {
redirectTo(response, UNAUTHORIZED_PATH);
}
- private static void redirectTo(HttpServletResponse response, String url) {
- try {
- response.sendRedirect(url);
- } catch (IOException e) {
- throw new IllegalStateException(format("Fail to redirect to %s", url), e);
- }
- }
}
JwtSerializer.class,
JwtHttpHandler.class,
JwtCsrfVerifier.class,
- OAuth2Redirection.class,
+ OAuth2AuthenticationParametersImpl.class,
LoginAction.class,
LogoutAction.class,
CredentialsAuthenticator.class,
--- /dev/null
+/*
+ * SonarQube
+ * Copyright (C) 2009-2018 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+
+package org.sonar.server.authentication;
+
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import javax.servlet.http.HttpServletResponse;
+
+import static java.lang.String.format;
+import static java.net.URLEncoder.encode;
+import static java.nio.charset.StandardCharsets.UTF_8;
+
+class AuthenticationRedirection {
+
+ private AuthenticationRedirection() {
+ // Only static methods
+ }
+
+ static String encodeMessage(String message) {
+ try {
+ return encode(message, UTF_8.name());
+ } catch (UnsupportedEncodingException e) {
+ throw new IllegalStateException(format("Fail to encode %s", message), e);
+ }
+ }
+
+ static void redirectTo(HttpServletResponse response, String url) {
+ try {
+ response.sendRedirect(url);
+ } catch (IOException e) {
+ throw new IllegalStateException(format("Fail to redirect to %s", url), e);
+ }
+ }
+}
import org.sonar.api.server.authentication.BaseIdentityProvider;
import org.sonar.api.server.authentication.UserIdentity;
import org.sonar.db.user.UserDto;
+import org.sonar.server.authentication.event.AuthenticationEvent.Source;
import org.sonar.server.user.ThreadLocalUserSession;
import org.sonar.server.user.UserSessionFactory;
-import static org.sonar.server.authentication.event.AuthenticationEvent.Source;
+import static org.sonar.server.authentication.UserIdentityAuthenticator.ExistingEmailStrategy.FORBID;
public class BaseContextFactory {
@Override
public void authenticate(UserIdentity userIdentity) {
- UserDto userDto = userIdentityAuthenticator.authenticate(userIdentity, identityProvider, Source.external(identityProvider));
+ UserDto userDto = userIdentityAuthenticator.authenticate(userIdentity, identityProvider, Source.external(identityProvider), FORBID);
jwtHttpHandler.generateToken(userDto, request, response);
threadLocalUserSession.set(userSessionFactory.create(userDto));
}
import static com.google.common.base.Strings.isNullOrEmpty;
import static java.util.Objects.requireNonNull;
+/**
+ * Helper class to create a {@link javax.servlet.http.Cookie}.
+ *
+ * The {@link javax.servlet.http.Cookie#secure} will automatically be set.
+ */
public class Cookies {
private static final String HTTPS_HEADER = "X-Forwarded-Proto";
this.request = request;
}
+ /**
+ * Name of the cookie
+ */
public CookieBuilder setName(String name) {
this.name = requireNonNull(name);
return this;
}
+ /**
+ * Name of the cookie
+ */
public CookieBuilder setValue(@Nullable String value) {
this.value = value;
return this;
}
+ /**
+ * Sets the flag that controls if this cookie will be hidden from scripts on the client side.
+ */
public CookieBuilder setHttpOnly(boolean httpOnly) {
this.httpOnly = httpOnly;
return this;
}
+ /**
+ * Sets the maximum age of the cookie in seconds.
+ */
public CookieBuilder setExpiry(int expiry) {
this.expiry = expiry;
return this;
--- /dev/null
+/*
+ * SonarQube
+ * Copyright (C) 2009-2018 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+
+package org.sonar.server.authentication;
+
+import org.sonar.api.server.authentication.IdentityProvider;
+import org.sonar.api.server.authentication.UserIdentity;
+import org.sonar.db.user.UserDto;
+
+import static java.lang.String.format;
+import static org.sonar.server.authentication.AuthenticationRedirection.encodeMessage;
+
+/**
+ * This exception is used to redirect the user to a page explaining him that his email is already used by another account,
+ * and where he has the ability to authenticate by "steeling" this email.
+ */
+public class EmailAlreadyExistsException extends RuntimeException {
+
+ private static final String PATH = "/sessions/email_already_exists?email=%s&login=%s&provider=%s&existingLogin=%s&existingProvider=%s";
+
+ private final String email;
+ private final UserDto existingUser;
+ private final UserIdentity userIdentity;
+ private final IdentityProvider provider;
+
+ EmailAlreadyExistsException(String email, UserDto existingUser, UserIdentity userIdentity, IdentityProvider provider) {
+ this.email = email;
+ this.existingUser = existingUser;
+ this.userIdentity = userIdentity;
+ this.provider = provider;
+ }
+
+ public String getPath(String contextPath) {
+ return contextPath + format(PATH,
+ encodeMessage(email),
+ encodeMessage(userIdentity.getProviderLogin()),
+ encodeMessage(provider.getKey()),
+ encodeMessage(existingUser.getExternalIdentity()),
+ encodeMessage(existingUser.getExternalIdentityProvider()));
+ }
+}
import static java.lang.String.format;
import static org.sonar.server.authentication.AuthenticationError.handleAuthenticationError;
import static org.sonar.server.authentication.AuthenticationError.handleError;
+import static org.sonar.server.authentication.AuthenticationRedirection.redirectTo;
import static org.sonar.server.authentication.event.AuthenticationEvent.Source;
public class InitFilter extends AuthenticationFilter {
private final BaseContextFactory baseContextFactory;
private final OAuth2ContextFactory oAuth2ContextFactory;
private final AuthenticationEvent authenticationEvent;
- private final OAuth2Redirection oAuthRedirection;
+ private final OAuth2AuthenticationParameters oAuthOAuth2AuthenticationParameters;
public InitFilter(IdentityProviderRepository identityProviderRepository, BaseContextFactory baseContextFactory,
- OAuth2ContextFactory oAuth2ContextFactory, Server server, AuthenticationEvent authenticationEvent, OAuth2Redirection oAuthRedirection) {
+ OAuth2ContextFactory oAuth2ContextFactory, Server server, AuthenticationEvent authenticationEvent, OAuth2AuthenticationParameters oAuthOAuth2AuthenticationParameters) {
super(server, identityProviderRepository);
this.baseContextFactory = baseContextFactory;
this.oAuth2ContextFactory = oAuth2ContextFactory;
this.authenticationEvent = authenticationEvent;
- this.oAuthRedirection = oAuthRedirection;
+ this.oAuthOAuth2AuthenticationParameters = oAuthOAuth2AuthenticationParameters;
}
@Override
if (provider instanceof BaseIdentityProvider) {
handleBaseIdentityProvider(request, response, (BaseIdentityProvider) provider);
} else if (provider instanceof OAuth2IdentityProvider) {
+ oAuthOAuth2AuthenticationParameters.init(request, response);
handleOAuth2IdentityProvider(request, response, (OAuth2IdentityProvider) provider);
} else {
handleError(response, format("Unsupported IdentityProvider class: %s", provider.getClass()));
}
} catch (AuthenticationException e) {
- oAuthRedirection.delete(request, response);
+ oAuthOAuth2AuthenticationParameters.delete(request, response);
authenticationEvent.loginFailure(request, e);
handleAuthenticationError(e, response, getContextPath());
+ } catch (EmailAlreadyExistsException e) {
+ oAuthOAuth2AuthenticationParameters.delete(request, response);
+ redirectTo(response, e.getPath(getContextPath()));
} catch (Exception e) {
- oAuthRedirection.delete(request, response);
+ oAuthOAuth2AuthenticationParameters.delete(request, response);
handleError(e, response, format("Fail to initialize authentication with provider '%s'", provider.getKey()));
}
}
private void handleOAuth2IdentityProvider(HttpServletRequest request, HttpServletResponse response, OAuth2IdentityProvider provider) {
try {
- oAuthRedirection.create(request, response);
provider.init(oAuth2ContextFactory.newContext(request, response, provider));
} catch (UnauthorizedException e) {
throw AuthenticationException.newBuilder()
--- /dev/null
+/*
+ * SonarQube
+ * Copyright (C) 2009-2018 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package org.sonar.server.authentication;
+
+import java.util.Optional;
+import javax.servlet.FilterConfig;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.sonar.api.server.authentication.OAuth2IdentityProvider;
+
+/**
+ * This class is used to store some parameters during the OAuth2 authentication process, by using a cookie.
+ *
+ * Parameters are read from the request during {@link InitFilter#init(FilterConfig)}
+ * and reset when {@link OAuth2IdentityProvider.CallbackContext#redirectToRequestedPage()} is called.
+ */
+public interface OAuth2AuthenticationParameters {
+
+ void init(HttpServletRequest request, HttpServletResponse response);
+
+ Optional<String> getReturnTo(HttpServletRequest request);
+
+ Optional<Boolean> getAllowEmailShift(HttpServletRequest request);
+
+ void delete(HttpServletRequest request, HttpServletResponse response);
+
+}
--- /dev/null
+/*
+ * SonarQube
+ * Copyright (C) 2009-2018 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+
+package org.sonar.server.authentication;
+
+import com.google.common.reflect.TypeToken;
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+import java.io.UnsupportedEncodingException;
+import java.lang.reflect.Type;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Optional;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import static java.net.URLDecoder.decode;
+import static java.net.URLEncoder.encode;
+import static java.nio.charset.StandardCharsets.UTF_8;
+import static org.apache.commons.lang.StringUtils.isNotBlank;
+import static org.sonar.server.authentication.Cookies.findCookie;
+import static org.sonar.server.authentication.Cookies.newCookieBuilder;
+
+public class OAuth2AuthenticationParametersImpl implements OAuth2AuthenticationParameters {
+
+ private static final String AUTHENTICATION_COOKIE_NAME = "AUTH-PARAMS";
+ private static final int FIVE_MINUTES_IN_SECONDS = 5 * 60;
+
+ /**
+ * The HTTP parameter that contains the path where the user should be redirect to.
+ * Please note that the web context is included.
+ */
+ private static final String RETURN_TO_PARAMETER = "return_to";
+
+ /**
+ * This parameter is used to allow the shift of email from an existing user to the authenticating user
+ */
+ private static final String ALLOW_EMAIL_SHIFT_PARAMETER = "allowEmailShift";
+
+ private static final Type JSON_MAP_TYPE = new TypeToken<HashMap<String, String>>() {
+ }.getType();
+
+ @Override
+ public void init(HttpServletRequest request, HttpServletResponse response) {
+ String returnTo = request.getParameter(RETURN_TO_PARAMETER);
+ String allowEmailShift = request.getParameter(ALLOW_EMAIL_SHIFT_PARAMETER);
+ Map<String, String> parameters = new HashMap<>();
+ if (isNotBlank(returnTo)) {
+ parameters.put(RETURN_TO_PARAMETER, returnTo);
+ }
+ if (isNotBlank(allowEmailShift)) {
+ parameters.put(ALLOW_EMAIL_SHIFT_PARAMETER, allowEmailShift);
+ }
+ if (parameters.isEmpty()) {
+ return;
+ }
+ response.addCookie(newCookieBuilder(request)
+ .setName(AUTHENTICATION_COOKIE_NAME)
+ .setValue(toJson(parameters))
+ .setHttpOnly(true)
+ .setExpiry(FIVE_MINUTES_IN_SECONDS)
+ .build());
+ }
+
+ @Override
+ public Optional<String> getReturnTo(HttpServletRequest request) {
+ return getParameter(request, RETURN_TO_PARAMETER);
+ }
+
+ @Override
+ public Optional<Boolean> getAllowEmailShift(HttpServletRequest request) {
+ Optional<String> parameter = getParameter(request, ALLOW_EMAIL_SHIFT_PARAMETER);
+ return parameter.map(Boolean::parseBoolean);
+ }
+
+ private static Optional<String> getParameter(HttpServletRequest request, String parameterKey) {
+ Optional<javax.servlet.http.Cookie> cookie = findCookie(AUTHENTICATION_COOKIE_NAME, request);
+ if (!cookie.isPresent()) {
+ return Optional.empty();
+ }
+
+ Map<String, String> parameters = fromJson(cookie.get().getValue());
+ if (parameters.isEmpty()) {
+ return Optional.empty();
+ }
+ return Optional.ofNullable(parameters.get(parameterKey));
+ }
+
+ @Override
+ public void delete(HttpServletRequest request, HttpServletResponse response) {
+ response.addCookie(newCookieBuilder(request)
+ .setName(AUTHENTICATION_COOKIE_NAME)
+ .setValue(null)
+ .setHttpOnly(true)
+ .setExpiry(0)
+ .build());
+ }
+
+ private static String toJson(Map<String, String> map) {
+ Gson gson = new GsonBuilder().create();
+ try {
+ return encode(gson.toJson(map), UTF_8.name());
+ } catch (UnsupportedEncodingException e) {
+ throw new IllegalStateException(e);
+ }
+ }
+
+ private static Map<String, String> fromJson(String json) {
+ Gson gson = new GsonBuilder().create();
+ try {
+ return gson.fromJson(decode(json, UTF_8.name()), JSON_MAP_TYPE);
+ } catch (UnsupportedEncodingException e) {
+ throw new IllegalStateException(e);
+ }
+ }
+}
import static java.lang.String.format;
import static org.sonar.server.authentication.AuthenticationError.handleAuthenticationError;
import static org.sonar.server.authentication.AuthenticationError.handleError;
+import static org.sonar.server.authentication.AuthenticationRedirection.redirectTo;
import static org.sonar.server.authentication.event.AuthenticationEvent.Source;
public class OAuth2CallbackFilter extends AuthenticationFilter {
private final OAuth2ContextFactory oAuth2ContextFactory;
private final AuthenticationEvent authenticationEvent;
- private final OAuth2Redirection oAuthRedirection;
+ private final OAuth2AuthenticationParameters oauth2Parameters;
public OAuth2CallbackFilter(IdentityProviderRepository identityProviderRepository, OAuth2ContextFactory oAuth2ContextFactory,
- Server server, AuthenticationEvent authenticationEvent, OAuth2Redirection oAuthRedirection) {
+ Server server, AuthenticationEvent authenticationEvent, OAuth2AuthenticationParameters oauth2Parameters) {
super(server, identityProviderRepository);
this.oAuth2ContextFactory = oAuth2ContextFactory;
this.authenticationEvent = authenticationEvent;
- this.oAuthRedirection = oAuthRedirection;
+ this.oauth2Parameters = oauth2Parameters;
}
@Override
handleError(response, format("Not an OAuth2IdentityProvider: %s", provider.getClass()));
}
} catch (AuthenticationException e) {
- oAuthRedirection.delete(request, response);
+ oauth2Parameters.delete(request, response);
authenticationEvent.loginFailure(request, e);
handleAuthenticationError(e, response, getContextPath());
+ } catch (EmailAlreadyExistsException e) {
+ oauth2Parameters.delete(request, response);
+ redirectTo(response, e.getPath(getContextPath()));
} catch (Exception e) {
- oAuthRedirection.delete(request, response);
+ oauth2Parameters.delete(request, response);
handleError(e, response, format("Fail to callback authentication with '%s'", provider.getKey()));
}
}
import static java.lang.String.format;
import static org.sonar.server.authentication.OAuth2CallbackFilter.CALLBACK_PATH;
+import static org.sonar.server.authentication.UserIdentityAuthenticator.ExistingEmailStrategy.ALLOW;
+import static org.sonar.server.authentication.UserIdentityAuthenticator.ExistingEmailStrategy.WARN;
@ServerSide
public class OAuth2ContextFactory {
private final OAuthCsrfVerifier csrfVerifier;
private final JwtHttpHandler jwtHttpHandler;
private final UserSessionFactory userSessionFactory;
- private final OAuth2Redirection oAuthRedirection;
+ private final OAuth2AuthenticationParameters oAuthParameters;
public OAuth2ContextFactory(ThreadLocalUserSession threadLocalUserSession, UserIdentityAuthenticator userIdentityAuthenticator, Server server,
- OAuthCsrfVerifier csrfVerifier, JwtHttpHandler jwtHttpHandler, UserSessionFactory userSessionFactory, OAuth2Redirection oAuthRedirection) {
+ OAuthCsrfVerifier csrfVerifier, JwtHttpHandler jwtHttpHandler, UserSessionFactory userSessionFactory, OAuth2AuthenticationParameters oAuthParameters) {
this.threadLocalUserSession = threadLocalUserSession;
this.userIdentityAuthenticator = userIdentityAuthenticator;
this.server = server;
this.csrfVerifier = csrfVerifier;
this.jwtHttpHandler = jwtHttpHandler;
this.userSessionFactory = userSessionFactory;
- this.oAuthRedirection = oAuthRedirection;
+ this.oAuthParameters = oAuthParameters;
}
public OAuth2IdentityProvider.InitContext newContext(HttpServletRequest request, HttpServletResponse response, OAuth2IdentityProvider identityProvider) {
@Override
public void redirectToRequestedPage() {
try {
- Optional<String> redirectTo = oAuthRedirection.getAndDelete(request, response);
+ Optional<String> redirectTo = oAuthParameters.getReturnTo(request);
+ oAuthParameters.delete(request, response);
getResponse().sendRedirect(redirectTo.orElse(server.getContextPath() + "/"));
} catch (IOException e) {
- throw new IllegalStateException("Fail to redirect to home", e);
+ throw new IllegalStateException("Fail to redirect to requested page", e);
}
}
@Override
public void authenticate(UserIdentity userIdentity) {
- UserDto userDto = userIdentityAuthenticator.authenticate(userIdentity, identityProvider, AuthenticationEvent.Source.oauth2(identityProvider));
+ Boolean allowEmailShift = oAuthParameters.getAllowEmailShift(request).orElse(false);
+ UserDto userDto = userIdentityAuthenticator.authenticate(userIdentity, identityProvider, AuthenticationEvent.Source.oauth2(identityProvider), allowEmailShift ? ALLOW : WARN);
jwtHttpHandler.generateToken(userDto, request, response);
threadLocalUserSession.set(userSessionFactory.create(userDto));
}
+++ /dev/null
-/*
- * SonarQube
- * Copyright (C) 2009-2018 SonarSource SA
- * mailto:info AT sonarsource DOT com
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 3 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- */
-package org.sonar.server.authentication;
-
-import java.util.Optional;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import static org.apache.commons.lang.StringUtils.isBlank;
-import static org.sonar.server.authentication.Cookies.findCookie;
-import static org.sonar.server.authentication.Cookies.newCookieBuilder;
-
-public class OAuth2Redirection {
-
- private static final String REDIRECT_TO_COOKIE = "REDIRECT_TO";
-
- /**
- * The HTTP parameter that contains the path where the user should be redirect to.
- * Please note that the web context is included.
- */
- private static final String RETURN_TO_PARAMETER = "return_to";
-
- public void create(HttpServletRequest request, HttpServletResponse response) {
- String redirectTo = request.getParameter(RETURN_TO_PARAMETER);
- if (isBlank(redirectTo)) {
- return;
- }
- response.addCookie(newCookieBuilder(request)
- .setName(REDIRECT_TO_COOKIE)
- .setValue(redirectTo)
- .setHttpOnly(true)
- .setExpiry(-1)
- .build());
- }
-
- public Optional<String> getAndDelete(HttpServletRequest request, HttpServletResponse response) {
- Optional<Cookie> cookie = findCookie(REDIRECT_TO_COOKIE, request);
- if (!cookie.isPresent()) {
- return Optional.empty();
- }
-
- delete(request, response);
-
- String redirectTo = cookie.get().getValue();
- if (isBlank(redirectTo)) {
- return Optional.empty();
- }
- return Optional.of(redirectTo);
- }
-
- public void delete(HttpServletRequest request, HttpServletResponse response) {
- response.addCookie(newCookieBuilder(request)
- .setName(REDIRECT_TO_COOKIE)
- .setValue(null)
- .setHttpOnly(true)
- .setExpiry(0)
- .build());
- }
-
-}
import static java.util.Objects.requireNonNull;
import static org.apache.commons.lang.StringUtils.isEmpty;
import static org.apache.commons.lang.StringUtils.trimToNull;
+import static org.sonar.server.authentication.UserIdentityAuthenticator.ExistingEmailStrategy.FORBID;
import static org.sonar.server.user.ExternalIdentity.SQ_AUTHORITY;
public class RealmAuthenticator implements Startable {
Collection<String> groups = externalGroupsProvider.doGetGroups(context);
userIdentityBuilder.setGroups(new HashSet<>(groups));
}
- return userIdentityAuthenticator.authenticate(userIdentityBuilder.build(), new ExternalIdentityProvider(), realmEventSource(method));
+ return userIdentityAuthenticator.authenticate(userIdentityBuilder.build(), new ExternalIdentityProvider(), realmEventSource(method), FORBID);
}
private String getLogin(String userLogin) {
import static org.sonar.process.ProcessProperties.Property.SONAR_WEB_SSO_LOGIN_HEADER;
import static org.sonar.process.ProcessProperties.Property.SONAR_WEB_SSO_NAME_HEADER;
import static org.sonar.process.ProcessProperties.Property.SONAR_WEB_SSO_REFRESH_INTERVAL_IN_MINUTES;
+import static org.sonar.server.authentication.UserIdentityAuthenticator.ExistingEmailStrategy.FORBID;
import static org.sonar.server.user.ExternalIdentity.SQ_AUTHORITY;
public class SsoAuthenticator implements Startable {
String groupsValue = getHeaderValue(headerValuesByNames, SONAR_WEB_SSO_GROUPS_HEADER.getKey());
userIdentityBuilder.setGroups(groupsValue == null ? Collections.emptySet() : new HashSet<>(COMA_SPLITTER.splitToList(groupsValue)));
}
- return userIdentityAuthenticator.authenticate(userIdentityBuilder.build(), new SsoIdentityProvider(), Source.sso());
+ return userIdentityAuthenticator.authenticate(userIdentityBuilder.build(), new SsoIdentityProvider(), Source.sso(), FORBID);
}
@CheckForNull
public class UserIdentityAuthenticator {
+ /**
+ * Strategy to be executed when the email of the user is already used by another user
+ */
+ enum ExistingEmailStrategy {
+ /**
+ * Authentication is allowed, the email is moved from other user to current user
+ */
+ ALLOW,
+ /**
+ * Authentication process is stopped, the user is redirected to a page explaining that the email is already used
+ */
+ WARN,
+ /**
+ * Forbid authentication of the user
+ */
+ FORBID
+ }
+
private static final Logger LOGGER = Loggers.get(UserIdentityAuthenticator.class);
private final DbClient dbClient;
this.defaultGroupFinder = defaultGroupFinder;
}
- public UserDto authenticate(UserIdentity user, IdentityProvider provider, AuthenticationEvent.Source source) {
- return register(user, provider, source);
- }
-
- private UserDto register(UserIdentity user, IdentityProvider provider, AuthenticationEvent.Source source) {
+ public UserDto authenticate(UserIdentity user, IdentityProvider provider, AuthenticationEvent.Source source, ExistingEmailStrategy existingEmailStrategy) {
try (DbSession dbSession = dbClient.openSession(false)) {
String userLogin = user.getLogin();
UserDto userDto = dbClient.userDao().selectByLogin(dbSession, userLogin);
if (userDto != null && userDto.isActive()) {
- registerExistingUser(dbSession, userDto, user, provider);
+ registerExistingUser(dbSession, userDto, user, provider, source, existingEmailStrategy);
return userDto;
}
- return registerNewUser(dbSession, user, provider, source);
+ return registerNewUser(dbSession, user, provider, source, existingEmailStrategy);
}
}
- private UserDto registerNewUser(DbSession dbSession, UserIdentity identity, IdentityProvider provider, AuthenticationEvent.Source source) {
+ private void registerExistingUser(DbSession dbSession, UserDto userDto, UserIdentity identity, IdentityProvider provider, AuthenticationEvent.Source source,
+ ExistingEmailStrategy existingEmailStrategy) {
+ UpdateUser update = UpdateUser.create(userDto.getLogin())
+ .setEmail(identity.getEmail())
+ .setName(identity.getName())
+ .setExternalIdentity(new ExternalIdentity(provider.getKey(), identity.getProviderLogin()));
+ Optional<UserDto> otherUserToIndex = validateEmail(dbSession, identity, provider, source, existingEmailStrategy);
+ userUpdater.updateAndCommit(dbSession, update, u -> syncGroups(dbSession, identity, u), toArray(otherUserToIndex));
+ }
+
+ private UserDto registerNewUser(DbSession dbSession, UserIdentity identity, IdentityProvider provider, AuthenticationEvent.Source source,
+ ExistingEmailStrategy existingEmailStrategy) {
if (!provider.allowsUsersToSignUp()) {
throw AuthenticationException.newBuilder()
.setSource(source)
.setPublicMessage(format("'%s' users are not allowed to sign up", provider.getKey()))
.build();
}
-
- String email = identity.getEmail();
- if (email != null && dbClient.userDao().doesEmailExist(dbSession, email)) {
- throw AuthenticationException.newBuilder()
- .setSource(source)
- .setLogin(identity.getLogin())
- .setMessage(format("Email '%s' is already used", email))
- .setPublicMessage(format(
- "You can't sign up because email '%s' is already used by an existing user. This means that you probably already registered with another account.",
- email))
- .build();
- }
-
- String userLogin = identity.getLogin();
+ Optional<UserDto> otherUserToIndex = validateEmail(dbSession, identity, provider, source, existingEmailStrategy);
return userUpdater.createAndCommit(dbSession, NewUser.builder()
- .setLogin(userLogin)
+ .setLogin(identity.getLogin())
.setEmail(identity.getEmail())
.setName(identity.getName())
.setExternalIdentity(new ExternalIdentity(provider.getKey(), identity.getProviderLogin()))
- .build(), u -> syncGroups(dbSession, identity, u));
+ .build(),
+ u -> syncGroups(dbSession, identity, u),
+ toArray(otherUserToIndex));
}
- private void registerExistingUser(DbSession dbSession, UserDto userDto, UserIdentity identity, IdentityProvider provider) {
- UpdateUser update = UpdateUser.create(userDto.getLogin())
- .setEmail(identity.getEmail())
- .setName(identity.getName())
- .setExternalIdentity(new ExternalIdentity(provider.getKey(), identity.getProviderLogin()));
- userUpdater.updateAndCommit(dbSession, update, u -> syncGroups(dbSession, identity, u));
+ private Optional<UserDto> validateEmail(DbSession dbSession, UserIdentity identity, IdentityProvider provider, AuthenticationEvent.Source source,
+ ExistingEmailStrategy existingEmailStrategy) {
+ String email = identity.getEmail();
+ if (email == null) {
+ return Optional.empty();
+ }
+ UserDto existingUser = dbClient.userDao().selectByEmail(dbSession, email);
+ if (existingUser == null || existingUser.getLogin().equals(identity.getLogin())) {
+ return Optional.empty();
+ }
+ switch (existingEmailStrategy) {
+ case ALLOW:
+ existingUser.setEmail(null);
+ dbClient.userDao().update(dbSession, existingUser);
+ return Optional.of(existingUser);
+ case WARN:
+ throw new EmailAlreadyExistsException(email, existingUser, identity, provider);
+ case FORBID:
+ throw AuthenticationException.newBuilder()
+ .setSource(source)
+ .setLogin(identity.getLogin())
+ .setMessage(format("Email '%s' is already used", email))
+ .setPublicMessage(format(
+ "You can't sign up because email '%s' is already used by an existing user. This means that you probably already registered with another account.",
+ email))
+ .build();
+ default:
+ throw new IllegalStateException(format("Unknown strategy %s", existingEmailStrategy));
+ }
}
private void syncGroups(DbSession dbSession, UserIdentity userIdentity, UserDto userDto) {
return organizationFlags.isEnabled(dbSession) ? Optional.empty() : Optional.of(defaultGroupFinder.findDefaultGroup(dbSession, defaultOrganizationProvider.get().getUuid()));
}
+ private static UserDto[] toArray(Optional<UserDto> userDto) {
+ return userDto.map(u -> new UserDto[]{u}).orElse(new UserDto[]{});
+ }
+
}
import java.util.Objects;
import java.util.Random;
import java.util.function.Consumer;
+import java.util.stream.Stream;
import javax.annotation.Nullable;
import org.apache.commons.codec.digest.DigestUtils;
import org.sonar.api.config.Configuration;
import static com.google.common.base.Strings.isNullOrEmpty;
import static com.google.common.collect.Lists.newArrayList;
import static java.lang.String.format;
+import static java.util.Arrays.stream;
+import static java.util.stream.Stream.concat;
import static org.sonar.core.config.CorePropertyDefinitions.ONBOARDING_TUTORIAL_SHOW_TO_NEW_USERS;
import static org.sonar.core.util.stream.MoreCollectors.toList;
import static org.sonar.db.user.UserDto.encryptPassword;
this.config = config;
}
- public UserDto createAndCommit(DbSession dbSession, NewUser newUser, Consumer<UserDto> beforeCommit) {
+ public UserDto createAndCommit(DbSession dbSession, NewUser newUser, Consumer<UserDto> beforeCommit, UserDto... otherUsersToIndex) {
String login = newUser.login();
UserDto userDto = dbClient.userDao().selectByLogin(dbSession, newUser.login());
if (userDto == null) {
reactivateUser(dbSession, userDto, login, newUser);
}
beforeCommit.accept(userDto);
- userIndexer.commitAndIndex(dbSession, userDto);
+ userIndexer.commitAndIndex(dbSession, concat(Stream.of(userDto), stream(otherUsersToIndex)).collect(toList()));
notifyNewUser(userDto.getLogin(), userDto.getName(), newUser.email());
return userDto;
addUserToDefaultOrganizationAndDefaultGroup(dbSession, existingUser);
}
- public void updateAndCommit(DbSession dbSession, UpdateUser updateUser, Consumer<UserDto> beforeCommit) {
+ public void updateAndCommit(DbSession dbSession, UpdateUser updateUser, Consumer<UserDto> beforeCommit, UserDto... otherUsersToIndex) {
UserDto dto = dbClient.userDao().selectByLogin(dbSession, updateUser.login());
checkFound(dto, "User with login '%s' has not been found", updateUser.login());
boolean isUserUpdated = updateDto(dbSession, updateUser, dto);
// at least one change. Database must be updated and Elasticsearch re-indexed
updateUser(dbSession, dto);
beforeCommit.accept(dto);
- userIndexer.commitAndIndex(dbSession, dto);
+ userIndexer.commitAndIndex(dbSession, concat(Stream.of(dto), stream(otherUsersToIndex)).collect(toList()));
notifyNewUser(dto.getLogin(), dto.getName(), dto.getEmail());
} else {
// no changes but still execute the consumer
import org.sonar.api.server.authentication.BaseIdentityProvider;
import org.sonar.api.server.authentication.UserIdentity;
import org.sonar.api.utils.System2;
-import org.sonar.db.DbClient;
-import org.sonar.db.DbSession;
import org.sonar.db.DbTester;
import org.sonar.db.user.UserDto;
-import org.sonar.server.authentication.event.AuthenticationEvent;
+import org.sonar.server.authentication.event.AuthenticationEvent.Source;
import org.sonar.server.user.TestUserSessionFactory;
import org.sonar.server.user.ThreadLocalUserSession;
import org.sonar.server.user.UserSession;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
-import static org.sonar.db.user.UserTesting.newUserDto;
+import static org.sonar.server.authentication.UserIdentityAuthenticator.ExistingEmailStrategy.FORBID;
public class BaseContextFactoryTest {
@Rule
public DbTester dbTester = DbTester.create(System2.INSTANCE);
- private DbClient dbClient = dbTester.getDbClient();
-
- private DbSession dbSession = dbTester.getSession();
-
private ThreadLocalUserSession threadLocalUserSession = mock(ThreadLocalUserSession.class);
private UserIdentityAuthenticator userIdentityAuthenticator = mock(UserIdentityAuthenticator.class);
@Before
public void setUp() throws Exception {
when(server.getPublicRootUrl()).thenReturn(PUBLIC_ROOT_URL);
-
- UserDto userDto = dbClient.userDao().insert(dbSession, newUserDto());
- dbSession.commit();
when(identityProvider.getName()).thenReturn("provIdeur Nameuh");
- when(userIdentityAuthenticator.authenticate(USER_IDENTITY, identityProvider, AuthenticationEvent.Source.external(identityProvider))).thenReturn(userDto);
+ when(request.getSession()).thenReturn(mock(HttpSession.class));
}
@Test
@Test
public void authenticate() {
+ UserDto userDto = dbTester.users().insertUser();
+ when(userIdentityAuthenticator.authenticate(USER_IDENTITY, identityProvider, Source.external(identityProvider), FORBID)).thenReturn(userDto);
BaseIdentityProvider.Context context = underTest.newContext(request, response, identityProvider);
- HttpSession session = mock(HttpSession.class);
- when(request.getSession()).thenReturn(session);
context.authenticate(USER_IDENTITY);
- verify(userIdentityAuthenticator).authenticate(USER_IDENTITY, identityProvider, AuthenticationEvent.Source.external(identityProvider));
+
+ verify(userIdentityAuthenticator).authenticate(USER_IDENTITY, identityProvider, Source.external(identityProvider), FORBID);
verify(jwtHttpHandler).generateToken(any(UserDto.class), eq(request), eq(response));
verify(threadLocalUserSession).set(any(UserSession.class));
}
+
}
import org.sonar.api.server.authentication.IdentityProvider;
import org.sonar.api.server.authentication.OAuth2IdentityProvider;
import org.sonar.api.server.authentication.UnauthorizedException;
+import org.sonar.api.server.authentication.UserIdentity;
import org.sonar.api.utils.log.LogTester;
import org.sonar.api.utils.log.LoggerLevel;
+import org.sonar.db.user.UserDto;
import org.sonar.server.authentication.event.AuthenticationEvent;
import org.sonar.server.authentication.event.AuthenticationException;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.Matchers.eq;
import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyZeroInteractions;
import static org.mockito.Mockito.when;
+import static org.sonar.db.user.UserTesting.newUserDto;
public class InitFilterTest {
private FakeBasicIdentityProvider baseIdentityProvider = new FakeBasicIdentityProvider(BASIC_PROVIDER_KEY, true);
private BaseIdentityProvider.Context baseContext = mock(BaseIdentityProvider.Context.class);
private AuthenticationEvent authenticationEvent = mock(AuthenticationEvent.class);
- private OAuth2Redirection oAuthRedirection = mock(OAuth2Redirection.class);
+ private OAuth2AuthenticationParameters auth2AuthenticationParameters = mock(OAuth2AuthenticationParameters.class);
private ArgumentCaptor<AuthenticationException> authenticationExceptionCaptor = ArgumentCaptor.forClass(AuthenticationException.class);
- private InitFilter underTest = new InitFilter(identityProviderRepository, baseContextFactory, oAuth2ContextFactory, server, authenticationEvent, oAuthRedirection);
+ private InitFilter underTest = new InitFilter(identityProviderRepository, baseContextFactory, oAuth2ContextFactory, server, authenticationEvent, auth2AuthenticationParameters);
@Before
public void setUp() throws Exception {
}
@Test
- public void do_filter_with_context() throws Exception {
+ public void do_filter_with_context() {
when(server.getContextPath()).thenReturn("/sonarqube");
when(request.getRequestURI()).thenReturn("/sonarqube/sessions/init/" + OAUTH2_PROVIDER_KEY);
identityProviderRepository.addIdentityProvider(oAuth2IdentityProvider);
assertOAuth2InitCalled();
verifyZeroInteractions(authenticationEvent);
- verify(oAuthRedirection).create(eq(request), eq(response));
}
@Test
- public void do_filter_on_auth2_identity_provider() throws Exception {
+ public void do_filter_on_auth2_identity_provider() {
when(request.getRequestURI()).thenReturn("/sessions/init/" + OAUTH2_PROVIDER_KEY);
identityProviderRepository.addIdentityProvider(oAuth2IdentityProvider);
assertOAuth2InitCalled();
verifyZeroInteractions(authenticationEvent);
- verify(oAuthRedirection).create(eq(request), eq(response));
}
@Test
- public void do_filter_on_basic_identity_provider() throws Exception {
+ public void do_filter_on_basic_identity_provider() {
when(request.getRequestURI()).thenReturn("/sessions/init/" + BASIC_PROVIDER_KEY);
identityProviderRepository.addIdentityProvider(baseIdentityProvider);
assertBasicInitCalled();
verifyZeroInteractions(authenticationEvent);
- verifyZeroInteractions(oAuthRedirection);
+ }
+
+ @Test
+ public void init_authentication_parameter_on_auth2_identity_provider() {
+ when(server.getContextPath()).thenReturn("/sonarqube");
+ when(request.getRequestURI()).thenReturn("/sonarqube/sessions/init/" + OAUTH2_PROVIDER_KEY);
+ identityProviderRepository.addIdentityProvider(oAuth2IdentityProvider);
+
+ underTest.doFilter(request, response, chain);
+
+ verify(auth2AuthenticationParameters).init(eq(request), eq(response));
+ }
+
+ @Test
+ public void does_not_init_authentication_parameter_on_basic_authentication() {
+ when(request.getRequestURI()).thenReturn("/sessions/init/" + BASIC_PROVIDER_KEY);
+ identityProviderRepository.addIdentityProvider(baseIdentityProvider);
+
+ underTest.doFilter(request, response, chain);
+
+ verify(auth2AuthenticationParameters, never()).init(eq(request), eq(response));
}
@Test
assertError("No provider key found in URI");
verifyZeroInteractions(authenticationEvent);
- verifyZeroInteractions(oAuthRedirection);
+ verifyZeroInteractions(auth2AuthenticationParameters);
}
@Test
assertError("No provider key found in URI");
verifyZeroInteractions(authenticationEvent);
- verifyZeroInteractions(oAuthRedirection);
+ verifyZeroInteractions(auth2AuthenticationParameters);
}
@Test
assertError("Unsupported IdentityProvider class: class org.sonar.server.authentication.InitFilterTest$UnsupportedIdentityProvider");
verifyZeroInteractions(authenticationEvent);
- verifyZeroInteractions(oAuthRedirection);
+ verifyZeroInteractions(auth2AuthenticationParameters);
}
@Test
assertThat(authenticationException.getSource()).isEqualTo(AuthenticationEvent.Source.external(identityProvider));
assertThat(authenticationException.getLogin()).isNull();
assertThat(authenticationException.getPublicMessage()).isEqualTo("Email john@email.com is already used");
- verifyDeleteRedirection();
+ verifyDeleteAuthCookie();
}
@Test
underTest.doFilter(request, response, chain);
verify(response).sendRedirect("/sonarqube/sessions/unauthorized?message=Email+john%40email.com+is+already+used");
- verifyDeleteRedirection();
+ verifyDeleteAuthCookie();
+ }
+
+ @Test
+ public void redirect_when_failing_because_of_EmailAlreadyExistException() throws Exception {
+ UserDto existingUser = newUserDto().setEmail("john@email.com").setExternalIdentity("john.bitbucket").setExternalIdentityProvider("bitbucket");
+ FailWithEmailAlreadyExistException identityProvider = new FailWithEmailAlreadyExistException("failing", existingUser);
+ when(request.getRequestURI()).thenReturn("/sessions/init/" + identityProvider.getKey());
+ identityProviderRepository.addIdentityProvider(identityProvider);
+
+ underTest.doFilter(request, response, chain);
+
+ verify(response).sendRedirect("/sessions/email_already_exists?email=john%40email.com&login=john.github&provider=failing&existingLogin=john.bitbucket&existingProvider=bitbucket");
+ verify(auth2AuthenticationParameters).delete(eq(request), eq(response));
}
@Test
verify(response).sendRedirect("/sessions/unauthorized");
assertThat(logTester.logs(LoggerLevel.ERROR)).containsExactlyInAnyOrder("Fail to initialize authentication with provider 'failing'");
- verifyDeleteRedirection();
+ verifyDeleteAuthCookie();
}
private void assertOAuth2InitCalled() {
assertThat(oAuth2IdentityProvider.isInitCalled()).isFalse();
}
- private void verifyDeleteRedirection() {
- verify(oAuthRedirection).delete(eq(request), eq(response));
+ private void verifyDeleteAuthCookie() {
+ verify(auth2AuthenticationParameters).delete(eq(request), eq(response));
}
private static class FailWithUnauthorizedExceptionIdProvider extends FakeBasicIdentityProvider {
}
}
+ private static class FailWithEmailAlreadyExistException extends FakeBasicIdentityProvider {
+
+ private final UserDto existingUser;
+
+ public FailWithEmailAlreadyExistException(String key, UserDto existingUser) {
+ super(key, true);
+ this.existingUser = existingUser;
+ }
+
+ @Override
+ public void init(Context context) {
+ throw new EmailAlreadyExistsException(existingUser.getEmail(), existingUser, UserIdentity.builder()
+ .setProviderLogin("john.github")
+ .setLogin("john.github")
+ .setName(existingUser.getName())
+ .setEmail(existingUser.getEmail())
+ .build(), this);
+ }
+ }
+
private static class UnsupportedIdentityProvider implements IdentityProvider {
private final String unsupportedKey;
--- /dev/null
+/*
+ * SonarQube
+ * Copyright (C) 2009-2018 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+package org.sonar.server.authentication;
+
+import java.util.Optional;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.ArgumentCaptor;
+import org.sonar.api.platform.Server;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+public class OAuth2AuthenticationParametersImplTest {
+
+ private static final String AUTHENTICATION_COOKIE_NAME = "AUTH-PARAMS";
+ private ArgumentCaptor<Cookie> cookieArgumentCaptor = ArgumentCaptor.forClass(Cookie.class);
+
+ private Server server = mock(Server.class);
+ private HttpServletResponse response = mock(HttpServletResponse.class);
+ private HttpServletRequest request = mock(HttpServletRequest.class);
+
+ private OAuth2AuthenticationParametersImpl underTest = new OAuth2AuthenticationParametersImpl();
+
+ @Before
+ public void setUp() throws Exception {
+ when(server.getContextPath()).thenReturn("");
+ }
+
+ @Test
+ public void init_create_cookie_containing_parameters_from_request() {
+ when(request.getParameter("return_to")).thenReturn("/settings");
+ when(request.getParameter("allowEmailShift")).thenReturn("true");
+
+ underTest.init(request, response);
+
+ verify(response).addCookie(cookieArgumentCaptor.capture());
+ Cookie cookie = cookieArgumentCaptor.getValue();
+ assertThat(cookie.getName()).isEqualTo(AUTHENTICATION_COOKIE_NAME);
+ assertThat(cookie.getValue()).isNotEmpty();
+ assertThat(cookie.getPath()).isEqualTo("/");
+ assertThat(cookie.isHttpOnly()).isTrue();
+ assertThat(cookie.getMaxAge()).isEqualTo(300);
+ assertThat(cookie.getSecure()).isFalse();
+ }
+
+ @Test
+ public void init_does_not_create_cookie_when_no_parameter() {
+ underTest.init(request, response);
+
+ verify(response, never()).addCookie(any(Cookie.class));
+ }
+
+ @Test
+ public void init_does_not_create_cookie_when_parameters_are_empty() {
+ when(request.getParameter("return_to")).thenReturn("");
+ when(request.getParameter("allowEmailShift")).thenReturn("");
+
+ underTest.init(request, response);
+
+ verify(response, never()).addCookie(any(Cookie.class));
+ }
+
+ @Test
+ public void init_does_not_create_cookie_when_parameters_are_null() {
+ when(request.getParameter("return_to")).thenReturn(null);
+ when(request.getParameter("allowEmailShift")).thenReturn(null);
+
+ underTest.init(request, response);
+
+ verify(response, never()).addCookie(any(Cookie.class));
+ }
+
+ @Test
+ public void get_return_to_parameter() {
+ when(request.getCookies()).thenReturn(new Cookie[] {new Cookie(AUTHENTICATION_COOKIE_NAME, "{\"return_to\":\"/settings\"}")});
+
+ Optional<String> redirection = underTest.getReturnTo(request);
+
+ assertThat(redirection).isNotEmpty();
+ assertThat(redirection.get()).isEqualTo("/settings");
+ }
+
+ @Test
+ public void get_return_to_is_empty_when_no_cookie() {
+ when(request.getCookies()).thenReturn(new Cookie[] {});
+
+ Optional<String> redirection = underTest.getReturnTo(request);
+
+ assertThat(redirection).isEmpty();
+ }
+
+ @Test
+ public void get_return_to_is_empty_when_no_value() {
+ when(request.getCookies()).thenReturn(new Cookie[] {new Cookie(AUTHENTICATION_COOKIE_NAME, "{}")});
+
+ Optional<String> redirection = underTest.getReturnTo(request);
+
+ assertThat(redirection).isEmpty();
+ }
+
+ @Test
+ public void get_allowEmailShift_parameter() {
+ when(request.getCookies()).thenReturn(new Cookie[] {new Cookie(AUTHENTICATION_COOKIE_NAME, "{\"allowEmailShift\":\"true\"}")});
+
+ Optional<Boolean> allowEmailShift = underTest.getAllowEmailShift(request);
+
+ assertThat(allowEmailShift).isNotEmpty();
+ assertThat(allowEmailShift.get()).isTrue();
+ }
+
+ @Test
+ public void get_allowEmailShift_is_empty_when_no_cookie() {
+ when(request.getCookies()).thenReturn(new Cookie[] {});
+
+ Optional<Boolean> allowEmailShift = underTest.getAllowEmailShift(request);
+
+ assertThat(allowEmailShift).isEmpty();
+ }
+
+ @Test
+ public void get_allowEmailShift_is_empty_when_no_value() {
+ when(request.getCookies()).thenReturn(new Cookie[] {new Cookie(AUTHENTICATION_COOKIE_NAME, "{}")});
+
+ Optional<Boolean> allowEmailShift = underTest.getAllowEmailShift(request);
+
+ assertThat(allowEmailShift).isEmpty();
+ }
+
+ @Test
+ public void delete() {
+ when(request.getCookies()).thenReturn(new Cookie[] {new Cookie(AUTHENTICATION_COOKIE_NAME, "{\"return_to\":\"/settings\"}")});
+
+ underTest.delete(request, response);
+
+ verify(response).addCookie(cookieArgumentCaptor.capture());
+ Cookie updatedCookie = cookieArgumentCaptor.getValue();
+ assertThat(updatedCookie.getName()).isEqualTo(AUTHENTICATION_COOKIE_NAME);
+ assertThat(updatedCookie.getValue()).isNull();
+ assertThat(updatedCookie.getPath()).isEqualTo("/");
+ assertThat(updatedCookie.getMaxAge()).isEqualTo(0);
+ }
+}
import org.sonar.api.server.authentication.UserIdentity;
import org.sonar.api.utils.log.LogTester;
import org.sonar.api.utils.log.LoggerLevel;
+import org.sonar.db.user.UserDto;
import org.sonar.server.authentication.event.AuthenticationEvent;
import org.sonar.server.authentication.event.AuthenticationException;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyZeroInteractions;
import static org.mockito.Mockito.when;
+import static org.sonar.db.user.UserTesting.newUserDto;
import static org.sonar.server.authentication.event.AuthenticationEvent.Source;
public class OAuth2CallbackFilterTest {
private FakeOAuth2IdentityProvider oAuth2IdentityProvider = new WellbehaveFakeOAuth2IdentityProvider(OAUTH2_PROVIDER_KEY, true, LOGIN);
private AuthenticationEvent authenticationEvent = mock(AuthenticationEvent.class);
- private OAuth2Redirection oAuthRedirection = mock(OAuth2Redirection.class);
+ private OAuth2AuthenticationParameters oAuthRedirection = mock(OAuth2AuthenticationParameters.class);
private ArgumentCaptor<AuthenticationException> authenticationExceptionCaptor = ArgumentCaptor.forClass(AuthenticationException.class);
}
@Test
- public void do_filter_with_context() throws Exception {
+ public void do_filter_with_context() {
when(server.getContextPath()).thenReturn("/sonarqube");
when(request.getRequestURI()).thenReturn("/sonarqube/oauth2/callback/" + OAUTH2_PROVIDER_KEY);
identityProviderRepository.addIdentityProvider(oAuth2IdentityProvider);
}
@Test
- public void do_filter_with_context_no_log_if_provider_did_not_call_authenticate_on_context() throws Exception {
+ public void do_filter_with_context_no_log_if_provider_did_not_call_authenticate_on_context() {
when(server.getContextPath()).thenReturn("/sonarqube");
when(request.getRequestURI()).thenReturn("/sonarqube/oauth2/callback/" + OAUTH2_PROVIDER_KEY);
FakeOAuth2IdentityProvider identityProvider = new FakeOAuth2IdentityProvider(OAUTH2_PROVIDER_KEY, true);
}
@Test
- public void do_filter_on_auth2_identity_provider() throws Exception {
+ public void do_filter_on_auth2_identity_provider() {
when(request.getRequestURI()).thenReturn("/oauth2/callback/" + OAUTH2_PROVIDER_KEY);
identityProviderRepository.addIdentityProvider(oAuth2IdentityProvider);
@Test
public void redirect_when_failing_because_of_UnauthorizedExceptionException() throws Exception {
FailWithUnauthorizedExceptionIdProvider identityProvider = new FailWithUnauthorizedExceptionIdProvider();
- identityProvider
- .setKey("failing")
- .setName("name of failing")
- .setEnabled(true);
when(request.getRequestURI()).thenReturn("/oauth2/callback/" + identityProvider.getKey());
identityProviderRepository.addIdentityProvider(identityProvider);
public void redirect_with_context_path_when_failing_because_of_UnauthorizedExceptionException() throws Exception {
when(server.getContextPath()).thenReturn("/sonarqube");
FailWithUnauthorizedExceptionIdProvider identityProvider = new FailWithUnauthorizedExceptionIdProvider();
- identityProvider
- .setKey("failing")
- .setName("name of failing")
- .setEnabled(true);
when(request.getRequestURI()).thenReturn("/sonarqube/oauth2/callback/" + identityProvider.getKey());
identityProviderRepository.addIdentityProvider(identityProvider);
@Test
public void redirect_when_failing_because_of_Exception() throws Exception {
FailWithIllegalStateException identityProvider = new FailWithIllegalStateException();
- identityProvider
- .setKey("failing")
- .setName("name of failing")
- .setEnabled(true);
when(request.getRequestURI()).thenReturn("/oauth2/callback/" + identityProvider.getKey());
identityProviderRepository.addIdentityProvider(identityProvider);
verify(oAuthRedirection).delete(eq(request), eq(response));
}
+ @Test
+ public void redirect_when_failing_because_of_EmailAlreadyExistException() throws Exception {
+ UserDto existingUser = newUserDto().setEmail("john@email.com").setExternalIdentity("john.bitbucket").setExternalIdentityProvider("bitbucket");
+ FailWithEmailAlreadyExistException identityProvider = new FailWithEmailAlreadyExistException(existingUser);
+ when(request.getRequestURI()).thenReturn("/oauth2/callback/" + identityProvider.getKey());
+ identityProviderRepository.addIdentityProvider(identityProvider);
+
+ underTest.doFilter(request, response, chain);
+
+ verify(response).sendRedirect("/sessions/email_already_exists?email=john%40email.com&login=john.github&provider=failing&existingLogin=john.bitbucket&existingProvider=bitbucket");
+ verify(oAuthRedirection).delete(eq(request), eq(response));
+ }
+
@Test
public void fail_when_no_oauth2_provider_provided() throws Exception {
when(request.getRequestURI()).thenReturn("/oauth2/callback");
assertThat(oAuth2IdentityProvider.isInitCalled()).isFalse();
}
- private static class FailWithUnauthorizedExceptionIdProvider extends TestIdentityProvider implements OAuth2IdentityProvider {
-
+ private static class FailWithUnauthorizedExceptionIdProvider extends FailingIdentityProvider {
@Override
- public void init(InitContext context) {
-
+ public void callback(CallbackContext context) {
+ throw new UnauthorizedException("Email john@email.com is already used");
}
+ }
+ private static class FailWithIllegalStateException extends FailingIdentityProvider {
@Override
public void callback(CallbackContext context) {
- throw new UnauthorizedException("Email john@email.com is already used");
+ throw new IllegalStateException("Failure !");
}
}
- private static class FailWithIllegalStateException extends TestIdentityProvider implements OAuth2IdentityProvider {
+ private static class FailWithEmailAlreadyExistException extends FailingIdentityProvider {
- @Override
- public void init(InitContext context) {
+ private final UserDto existingUser;
+ public FailWithEmailAlreadyExistException(UserDto existingUser) {
+ this.existingUser = existingUser;
}
@Override
public void callback(CallbackContext context) {
- throw new IllegalStateException("Failure !");
+ throw new EmailAlreadyExistsException(existingUser.getEmail(), existingUser, UserIdentity.builder()
+ .setProviderLogin("john.github")
+ .setLogin("john.github")
+ .setName(existingUser.getName())
+ .setEmail(existingUser.getEmail())
+ .build(), this);
+ }
+ }
+
+ private static abstract class FailingIdentityProvider extends TestIdentityProvider implements OAuth2IdentityProvider {
+ FailingIdentityProvider() {
+ this.setKey("failing");
+ this.setName("Failing");
+ this.setEnabled(true);
+ }
+
+ @Override
+ public void init(InitContext context) {
+ // Nothing to do
}
}
import org.sonar.api.server.authentication.OAuth2IdentityProvider;
import org.sonar.api.server.authentication.UserIdentity;
import org.sonar.api.utils.System2;
-import org.sonar.db.DbClient;
-import org.sonar.db.DbSession;
import org.sonar.db.DbTester;
import org.sonar.db.user.UserDto;
import org.sonar.server.user.TestUserSessionFactory;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
-import static org.sonar.db.user.UserTesting.newUserDto;
+import static org.sonar.server.authentication.UserIdentityAuthenticator.ExistingEmailStrategy.ALLOW;
+import static org.sonar.server.authentication.UserIdentityAuthenticator.ExistingEmailStrategy.WARN;
import static org.sonar.server.authentication.event.AuthenticationEvent.Source;
public class OAuth2ContextFactoryTest {
@Rule
public DbTester dbTester = DbTester.create(System2.INSTANCE);
- private DbClient dbClient = dbTester.getDbClient();
- private DbSession dbSession = dbTester.getSession();
private ThreadLocalUserSession threadLocalUserSession = mock(ThreadLocalUserSession.class);
private UserIdentityAuthenticator userIdentityAuthenticator = mock(UserIdentityAuthenticator.class);
private Server server = mock(Server.class);
private OAuthCsrfVerifier csrfVerifier = mock(OAuthCsrfVerifier.class);
private JwtHttpHandler jwtHttpHandler = mock(JwtHttpHandler.class);
private TestUserSessionFactory userSessionFactory = TestUserSessionFactory.standalone();
- private OAuth2Redirection oAuthRedirection = mock(OAuth2Redirection.class);
+ private OAuth2AuthenticationParameters oAuthParameters = mock(OAuth2AuthenticationParameters.class);
private HttpServletRequest request = mock(HttpServletRequest.class);
private HttpServletResponse response = mock(HttpServletResponse.class);
private HttpSession session = mock(HttpSession.class);
private OAuth2IdentityProvider identityProvider = mock(OAuth2IdentityProvider.class);
private OAuth2ContextFactory underTest = new OAuth2ContextFactory(threadLocalUserSession, userIdentityAuthenticator, server, csrfVerifier, jwtHttpHandler, userSessionFactory,
- oAuthRedirection);
+ oAuthParameters);
@Before
public void setUp() throws Exception {
- UserDto userDto = dbClient.userDao().insert(dbSession, newUserDto());
- dbSession.commit();
-
when(request.getSession()).thenReturn(session);
when(identityProvider.getKey()).thenReturn(PROVIDER_KEY);
when(identityProvider.getName()).thenReturn(PROVIDER_NAME);
- when(userIdentityAuthenticator.authenticate(USER_IDENTITY, identityProvider, Source.oauth2(identityProvider))).thenReturn(userDto);
}
@Test
@Test
public void authenticate() {
+ UserDto userDto = dbTester.users().insertUser();
+ when(userIdentityAuthenticator.authenticate(USER_IDENTITY, identityProvider, Source.oauth2(identityProvider), WARN)).thenReturn(userDto);
OAuth2IdentityProvider.CallbackContext callback = newCallbackContext();
callback.authenticate(USER_IDENTITY);
- verify(userIdentityAuthenticator).authenticate(USER_IDENTITY, identityProvider, Source.oauth2(identityProvider));
+ verify(userIdentityAuthenticator).authenticate(USER_IDENTITY, identityProvider, Source.oauth2(identityProvider), WARN);
verify(jwtHttpHandler).generateToken(any(UserDto.class), eq(request), eq(response));
verify(threadLocalUserSession).set(any(UserSession.class));
}
+ @Test
+ public void authenticate_with_allow_email_shift() {
+ when(oAuthParameters.getAllowEmailShift(request)).thenReturn(Optional.of(true));
+ UserDto userDto = dbTester.users().insertUser();
+ when(userIdentityAuthenticator.authenticate(USER_IDENTITY, identityProvider, Source.oauth2(identityProvider), ALLOW)).thenReturn(userDto);
+ OAuth2IdentityProvider.CallbackContext callback = newCallbackContext();
+
+ callback.authenticate(USER_IDENTITY);
+
+ verify(userIdentityAuthenticator).authenticate(USER_IDENTITY, identityProvider, Source.oauth2(identityProvider), ALLOW);
+ }
+
@Test
public void redirect_to_home() throws Exception {
when(server.getContextPath()).thenReturn("");
- when(oAuthRedirection.getAndDelete(request, response)).thenReturn(Optional.empty());
+ when(oAuthParameters.getReturnTo(request)).thenReturn(Optional.empty());
OAuth2IdentityProvider.CallbackContext callback = newCallbackContext();
callback.redirectToRequestedPage();
@Test
public void redirect_to_home_with_context() throws Exception {
when(server.getContextPath()).thenReturn("/sonarqube");
- when(oAuthRedirection.getAndDelete(request, response)).thenReturn(Optional.empty());
+ when(oAuthParameters.getReturnTo(request)).thenReturn(Optional.empty());
OAuth2IdentityProvider.CallbackContext callback = newCallbackContext();
callback.redirectToRequestedPage();
@Test
public void redirect_to_requested_page() throws Exception {
- when(oAuthRedirection.getAndDelete(request, response)).thenReturn(Optional.of("/settings"));
+ when(oAuthParameters.getReturnTo(request)).thenReturn(Optional.of("/settings"));
when(server.getContextPath()).thenReturn("");
OAuth2IdentityProvider.CallbackContext callback = newCallbackContext();
}
@Test
- public void redirect_to_requested_page_doesnt_need_context() throws Exception {
- when(oAuthRedirection.getAndDelete(request, response)).thenReturn(Optional.of("/sonarqube/settings"));
+ public void redirect_to_requested_page_does_not_need_context() throws Exception {
+ when(oAuthParameters.getReturnTo(request)).thenReturn(Optional.of("/sonarqube/settings"));
when(server.getContextPath()).thenReturn("/other");
OAuth2IdentityProvider.CallbackContext callback = newCallbackContext();
verify(csrfVerifier).verifyState(request, response, identityProvider);
}
+ @Test
+ public void delete_oauth2_parameters_during_redirection() {
+ when(oAuthParameters.getReturnTo(request)).thenReturn(Optional.of("/settings"));
+ when(server.getContextPath()).thenReturn("");
+ OAuth2IdentityProvider.CallbackContext callback = newCallbackContext();
+
+ callback.redirectToRequestedPage();
+
+ verify(oAuthParameters).delete(eq(request), eq(response));
+ }
+
private OAuth2IdentityProvider.InitContext newInitContext() {
return underTest.newContext(request, response, identityProvider);
}
+++ /dev/null
-/*
- * SonarQube
- * Copyright (C) 2009-2018 SonarSource SA
- * mailto:info AT sonarsource DOT com
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 3 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- */
-package org.sonar.server.authentication;
-
-import java.util.Optional;
-import javax.servlet.http.Cookie;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import org.junit.Before;
-import org.junit.Test;
-import org.mockito.ArgumentCaptor;
-import org.sonar.api.platform.Server;
-
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.mockito.Matchers.any;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.never;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-public class OAuth2RedirectionTest {
-
- private ArgumentCaptor<Cookie> cookieArgumentCaptor = ArgumentCaptor.forClass(Cookie.class);
-
- private Server server = mock(Server.class);
- private HttpServletResponse response = mock(HttpServletResponse.class);
- private HttpServletRequest request = mock(HttpServletRequest.class);
-
- private OAuth2Redirection underTest = new OAuth2Redirection();
-
- @Before
- public void setUp() throws Exception {
- when(server.getContextPath()).thenReturn("");
- }
-
- @Test
- public void create_cookie() {
- when(request.getParameter("return_to")).thenReturn("/settings");
-
- underTest.create(request, response);
-
- verify(response).addCookie(cookieArgumentCaptor.capture());
- Cookie cookie = cookieArgumentCaptor.getValue();
- assertThat(cookie.getName()).isEqualTo("REDIRECT_TO");
- assertThat(cookie.getValue()).isEqualTo("/settings");
- assertThat(cookie.getPath()).isEqualTo("/");
- assertThat(cookie.isHttpOnly()).isTrue();
- assertThat(cookie.getMaxAge()).isEqualTo(-1);
- assertThat(cookie.getSecure()).isFalse();
- }
-
- @Test
- public void does_not_create_cookie_when_return_to_parameter_is_empty() {
- when(request.getParameter("return_to")).thenReturn("");
-
- underTest.create(request, response);
-
- verify(response, never()).addCookie(any());
- }
-
- @Test
- public void does_not_create_cookie_when_return_to_parameter_is_null() {
- when(request.getParameter("return_to")).thenReturn(null);
-
- underTest.create(request, response);
-
- verify(response, never()).addCookie(any());
- }
-
- @Test
- public void get_and_delete() {
- when(request.getCookies()).thenReturn(new Cookie[]{new Cookie("REDIRECT_TO", "/settings")});
-
- Optional<String> redirection = underTest.getAndDelete(request, response);
-
- assertThat(redirection).isEqualTo(Optional.of("/settings"));
- verify(response).addCookie(cookieArgumentCaptor.capture());
- Cookie updatedCookie = cookieArgumentCaptor.getValue();
- assertThat(updatedCookie.getName()).isEqualTo("REDIRECT_TO");
- assertThat(updatedCookie.getValue()).isNull();
- assertThat(updatedCookie.getPath()).isEqualTo("/");
- assertThat(updatedCookie.getMaxAge()).isEqualTo(0);
- }
-
- @Test
- public void get_and_delete_returns_nothing_when_no_cookie() {
- when(request.getCookies()).thenReturn(new Cookie[]{});
-
- Optional<String> redirection = underTest.getAndDelete(request, response);
-
- assertThat(redirection).isEmpty();
- }
-
- @Test
- public void get_and_delete_returns_nothing_redirect_value_is_null() {
- when(request.getCookies()).thenReturn(new Cookie[]{new Cookie("REDIRECT_TO", null)});
-
- Optional<String> redirection = underTest.getAndDelete(request, response);
-
- assertThat(redirection).isEmpty();
- }
-
- @Test
- public void delete() {
- when(request.getCookies()).thenReturn(new Cookie[]{new Cookie("REDIRECT_TO", "/settings")});
-
- underTest.delete(request, response);
-
- verify(response).addCookie(cookieArgumentCaptor.capture());
- Cookie updatedCookie = cookieArgumentCaptor.getValue();
- assertThat(updatedCookie.getName()).isEqualTo("REDIRECT_TO");
- assertThat(updatedCookie.getValue()).isNull();
- assertThat(updatedCookie.getPath()).isEqualTo("/");
- assertThat(updatedCookie.getMaxAge()).isEqualTo(0);
- }
-
-}
import static java.util.Arrays.asList;
import static org.assertj.core.api.Assertions.assertThat;
import static org.junit.rules.ExpectedException.none;
+import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.Matchers.any;
import static org.mockito.Mockito.doThrow;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verifyZeroInteractions;
import static org.mockito.Mockito.when;
import static org.sonar.db.user.UserTesting.newUserDto;
+import static org.sonar.server.authentication.UserIdentityAuthenticator.ExistingEmailStrategy.FORBID;
import static org.sonar.server.authentication.event.AuthenticationEvent.Method.BASIC;
import static org.sonar.server.authentication.event.AuthenticationEvent.Method.BASIC_TOKEN;
import static org.sonar.server.authentication.event.AuthenticationExceptionMatcher.authenticationException;
userDetails.setName("name");
userDetails.setEmail("email");
when(externalUsersProvider.doGetUserDetails(any(ExternalUsersProvider.Context.class))).thenReturn(userDetails);
- when(userIdentityAuthenticator.authenticate(any(UserIdentity.class), any(IdentityProvider.class), any(Source.class))).thenReturn(USER);
+ when(userIdentityAuthenticator.authenticate(any(UserIdentity.class), any(IdentityProvider.class), any(Source.class), eq(FORBID))).thenReturn(USER);
underTest.authenticate(LOGIN, PASSWORD, request, BASIC);
- verify(userIdentityAuthenticator).authenticate(userIdentityArgumentCaptor.capture(), identityProviderArgumentCaptor.capture(), sourceCaptor.capture());
+ verify(userIdentityAuthenticator).authenticate(userIdentityArgumentCaptor.capture(), identityProviderArgumentCaptor.capture(), sourceCaptor.capture(), eq(FORBID));
UserIdentity userIdentity = userIdentityArgumentCaptor.getValue();
assertThat(userIdentity.getLogin()).isEqualTo(LOGIN);
assertThat(userIdentity.getProviderLogin()).isEqualTo(LOGIN);
userDetails.setName("name");
userDetails.setEmail("email");
when(externalUsersProvider.doGetUserDetails(any(ExternalUsersProvider.Context.class))).thenReturn(userDetails);
- when(userIdentityAuthenticator.authenticate(any(UserIdentity.class), any(IdentityProvider.class), any(Source.class))).thenReturn(USER);
+ when(userIdentityAuthenticator.authenticate(any(UserIdentity.class), any(IdentityProvider.class), any(Source.class), eq(FORBID))).thenReturn(USER);
underTest.authenticate(LOGIN, PASSWORD, request, BASIC);
- verify(userIdentityAuthenticator).authenticate(userIdentityArgumentCaptor.capture(), identityProviderArgumentCaptor.capture(), sourceCaptor.capture());
+ verify(userIdentityAuthenticator).authenticate(userIdentityArgumentCaptor.capture(), identityProviderArgumentCaptor.capture(), sourceCaptor.capture(), eq(FORBID));
assertThat(identityProviderArgumentCaptor.getValue().getKey()).isEqualTo("sonarqube");
assertThat(identityProviderArgumentCaptor.getValue().getName()).isEqualTo("sonarqube");
UserDetails userDetails = new UserDetails();
userDetails.setEmail("email");
when(externalUsersProvider.doGetUserDetails(any(ExternalUsersProvider.Context.class))).thenReturn(userDetails);
- when(userIdentityAuthenticator.authenticate(any(UserIdentity.class), any(IdentityProvider.class), any(Source.class))).thenReturn(USER);
+ when(userIdentityAuthenticator.authenticate(any(UserIdentity.class), any(IdentityProvider.class), any(Source.class), eq(FORBID))).thenReturn(USER);
underTest.authenticate(LOGIN, PASSWORD, request, BASIC);
- verify(userIdentityAuthenticator).authenticate(userIdentityArgumentCaptor.capture(), identityProviderArgumentCaptor.capture(), sourceCaptor.capture());
+ verify(userIdentityAuthenticator).authenticate(userIdentityArgumentCaptor.capture(), identityProviderArgumentCaptor.capture(), sourceCaptor.capture(), eq(FORBID));
assertThat(identityProviderArgumentCaptor.getValue().getName()).isEqualTo("sonarqube");
verify(authenticationEvent).loginSuccess(request, LOGIN, Source.realm(BASIC, REALM_NAME));
}
@Test
public void authenticate_with_group_sync() {
when(externalGroupsProvider.doGetGroups(any(ExternalGroupsProvider.Context.class))).thenReturn(asList("group1", "group2"));
- when(userIdentityAuthenticator.authenticate(any(UserIdentity.class), any(IdentityProvider.class), any(Source.class))).thenReturn(USER);
+ when(userIdentityAuthenticator.authenticate(any(UserIdentity.class), any(IdentityProvider.class), any(Source.class), eq(FORBID))).thenReturn(USER);
executeStartWithGroupSync();
executeAuthenticate();
- verify(userIdentityAuthenticator).authenticate(userIdentityArgumentCaptor.capture(), identityProviderArgumentCaptor.capture(), sourceCaptor.capture());
+ verify(userIdentityAuthenticator).authenticate(userIdentityArgumentCaptor.capture(), identityProviderArgumentCaptor.capture(), sourceCaptor.capture(), eq(FORBID));
UserIdentity userIdentity = userIdentityArgumentCaptor.getValue();
assertThat(userIdentity.shouldSyncGroups()).isTrue();
UserDetails userDetails = new UserDetails();
userDetails.setName(null);
when(externalUsersProvider.doGetUserDetails(any(ExternalUsersProvider.Context.class))).thenReturn(userDetails);
- when(userIdentityAuthenticator.authenticate(any(UserIdentity.class), any(IdentityProvider.class), any(Source.class))).thenReturn(USER);
+ when(userIdentityAuthenticator.authenticate(any(UserIdentity.class), any(IdentityProvider.class), any(Source.class), eq(FORBID))).thenReturn(USER);
underTest.authenticate(LOGIN, PASSWORD, request, BASIC);
- verify(userIdentityAuthenticator).authenticate(userIdentityArgumentCaptor.capture(), identityProviderArgumentCaptor.capture(), sourceCaptor.capture());
+ verify(userIdentityAuthenticator).authenticate(userIdentityArgumentCaptor.capture(), identityProviderArgumentCaptor.capture(), sourceCaptor.capture(), eq(FORBID));
assertThat(userIdentityArgumentCaptor.getValue().getName()).isEqualTo(LOGIN);
verify(authenticationEvent).loginSuccess(request, LOGIN, Source.realm(BASIC, REALM_NAME));
}
@Test
public void use_downcase_login() {
settings.setProperty("sonar.authenticator.downcase", true);
- when(userIdentityAuthenticator.authenticate(any(UserIdentity.class), any(IdentityProvider.class), any(Source.class))).thenReturn(USER);
+ when(userIdentityAuthenticator.authenticate(any(UserIdentity.class), any(IdentityProvider.class), any(Source.class), eq(FORBID))).thenReturn(USER);
executeStartWithoutGroupSync();
executeAuthenticate("LOGIN");
- verify(userIdentityAuthenticator).authenticate(userIdentityArgumentCaptor.capture(), identityProviderArgumentCaptor.capture(), sourceCaptor.capture());
+ verify(userIdentityAuthenticator).authenticate(userIdentityArgumentCaptor.capture(), identityProviderArgumentCaptor.capture(), sourceCaptor.capture(), eq(FORBID));
UserIdentity userIdentity = userIdentityArgumentCaptor.getValue();
assertThat(userIdentity.getLogin()).isEqualTo("login");
assertThat(userIdentity.getProviderLogin()).isEqualTo("login");
@Test
public void does_not_user_downcase_login() {
settings.setProperty("sonar.authenticator.downcase", false);
- when(userIdentityAuthenticator.authenticate(any(UserIdentity.class), any(IdentityProvider.class), any(Source.class))).thenReturn(USER);
+ when(userIdentityAuthenticator.authenticate(any(UserIdentity.class), any(IdentityProvider.class), any(Source.class), eq(FORBID))).thenReturn(USER);
executeStartWithoutGroupSync();
executeAuthenticate("LoGiN");
- verify(userIdentityAuthenticator).authenticate(userIdentityArgumentCaptor.capture(), identityProviderArgumentCaptor.capture(), sourceCaptor.capture());
+ verify(userIdentityAuthenticator).authenticate(userIdentityArgumentCaptor.capture(), identityProviderArgumentCaptor.capture(), sourceCaptor.capture(), eq(FORBID));
UserIdentity userIdentity = userIdentityArgumentCaptor.getValue();
assertThat(userIdentity.getLogin()).isEqualTo("LoGiN");
assertThat(userIdentity.getProviderLogin()).isEqualTo("LoGiN");
import org.junit.rules.ExpectedException;
import org.sonar.api.config.internal.MapSettings;
import org.sonar.api.server.authentication.UserIdentity;
-import org.sonar.api.utils.System2;
import org.sonar.api.utils.internal.AlwaysIncreasingSystem2;
import org.sonar.core.util.stream.MoreCollectors;
import org.sonar.db.DbTester;
import static org.mockito.Mockito.mock;
import static org.sonar.core.config.CorePropertyDefinitions.ONBOARDING_TUTORIAL_SHOW_TO_NEW_USERS;
import static org.sonar.db.user.UserTesting.newUserDto;
+import static org.sonar.server.authentication.UserIdentityAuthenticator.ExistingEmailStrategy.ALLOW;
+import static org.sonar.server.authentication.UserIdentityAuthenticator.ExistingEmailStrategy.FORBID;
+import static org.sonar.server.authentication.UserIdentityAuthenticator.ExistingEmailStrategy.WARN;
import static org.sonar.server.authentication.event.AuthenticationExceptionMatcher.authenticationException;
public class UserIdentityAuthenticatorTest {
private MapSettings settings = new MapSettings();
@Rule
- public ExpectedException thrown = ExpectedException.none();
+ public ExpectedException expectedException = ExpectedException.none();
@Rule
public DbTester db = DbTester.create(new AlwaysIncreasingSystem2());
@Rule
@Test
public void authenticate_new_user() {
organizationFlags.setEnabled(true);
- underTest.authenticate(USER_IDENTITY, IDENTITY_PROVIDER, Source.realm(Method.BASIC, IDENTITY_PROVIDER.getName()));
+
+ underTest.authenticate(USER_IDENTITY, IDENTITY_PROVIDER, Source.realm(Method.BASIC, IDENTITY_PROVIDER.getName()), FORBID);
UserDto user = db.users().selectUserByLogin(USER_LOGIN).get();
assertThat(user).isNotNull();
assertThat(user.getExternalIdentity()).isEqualTo("johndoo");
assertThat(user.getExternalIdentityProvider()).isEqualTo("github");
assertThat(user.isRoot()).isFalse();
-
checkGroupMembership(user);
}
organizationFlags.setEnabled(true);
settings.setProperty(ONBOARDING_TUTORIAL_SHOW_TO_NEW_USERS, true);
- underTest.authenticate(USER_IDENTITY, IDENTITY_PROVIDER, Source.realm(Method.BASIC, IDENTITY_PROVIDER.getName()));
+ underTest.authenticate(USER_IDENTITY, IDENTITY_PROVIDER, Source.realm(Method.BASIC, IDENTITY_PROVIDER.getName()), FORBID);
assertThat(db.users().selectUserByLogin(USER_LOGIN).get().isOnboarded()).isFalse();
}
organizationFlags.setEnabled(true);
settings.setProperty(ONBOARDING_TUTORIAL_SHOW_TO_NEW_USERS, false);
- underTest.authenticate(USER_IDENTITY, IDENTITY_PROVIDER, Source.realm(Method.BASIC, IDENTITY_PROVIDER.getName()));
+ underTest.authenticate(USER_IDENTITY, IDENTITY_PROVIDER, Source.realm(Method.BASIC, IDENTITY_PROVIDER.getName()), FORBID);
assertThat(db.users().selectUserByLogin(USER_LOGIN).get().isOnboarded()).isTrue();
}
@Test
- public void authenticate_existing_user() {
+ public void authenticate_new_user_update_existing_user_email_when_strategy_is_ALLOW() {
+ organizationFlags.setEnabled(true);
+ UserDto existingUser = db.users().insertUser(u -> u.setEmail("john@email.com"));
+ UserIdentity newUser = UserIdentity.builder()
+ .setProviderLogin("johndoo")
+ .setLogin("new_login")
+ .setName(existingUser.getName())
+ .setEmail(existingUser.getEmail())
+ .build();
+
+ underTest.authenticate(newUser, IDENTITY_PROVIDER, Source.local(Method.BASIC), ALLOW);
+
+ UserDto newUserReloaded = db.users().selectUserByLogin(newUser.getLogin()).get();
+ assertThat(newUserReloaded.getEmail()).isEqualTo(existingUser.getEmail());
+ UserDto existingUserReloaded = db.users().selectUserByLogin(existingUser.getLogin()).get();
+ assertThat(existingUserReloaded.getEmail()).isNull();
+ }
+
+ @Test
+ public void throw_EmailAlreadyExistException_when_authenticating_new_user_when_email_already_exists_and_strategy_is_WARN() {
+ organizationFlags.setEnabled(true);
+ UserDto existingUser = db.users().insertUser(u -> u.setEmail("john@email.com"));
+ UserIdentity newUser = UserIdentity.builder()
+ .setProviderLogin("johndoo")
+ .setLogin("new_login")
+ .setName(existingUser.getName())
+ .setEmail(existingUser.getEmail())
+ .build();
+
+ expectedException.expect(EmailAlreadyExistsException.class);
+
+ underTest.authenticate(newUser, IDENTITY_PROVIDER, Source.local(Method.BASIC), WARN);
+ }
+
+ @Test
+ public void throw_AuthenticationException_when_authenticating_new_user_when_email_already_exists_and_strategy_is_FORBID() {
db.users().insertUser(newUserDto()
- .setLogin(USER_LOGIN)
+ .setLogin("Existing user with same email")
.setActive(true)
+ .setEmail("john@email.com"));
+ Source source = Source.realm(Method.FORM, IDENTITY_PROVIDER.getName());
+
+ expectedException.expect(authenticationException().from(source)
+ .withLogin(USER_IDENTITY.getLogin())
+ .andPublicMessage("You can't sign up because email 'john@email.com' is already used by an existing user. " +
+ "This means that you probably already registered with another account."));
+ expectedException.expectMessage("Email 'john@email.com' is already used");
+
+ underTest.authenticate(USER_IDENTITY, IDENTITY_PROVIDER, source, FORBID);
+ }
+
+ @Test
+ public void fail_to_authenticate_new_user_when_allow_users_to_signup_is_false() {
+ TestIdentityProvider identityProvider = new TestIdentityProvider()
+ .setKey("github")
+ .setName("Github")
+ .setEnabled(true)
+ .setAllowsUsersToSignUp(false);
+ Source source = Source.realm(Method.FORM, identityProvider.getName());
+
+ expectedException.expect(authenticationException().from(source).withLogin(USER_IDENTITY.getLogin()).andPublicMessage("'github' users are not allowed to sign up"));
+ expectedException.expectMessage("User signup disabled for provider 'github'");
+ underTest.authenticate(USER_IDENTITY, identityProvider, source, FORBID);
+ }
+
+ @Test
+ public void authenticate_existing_user() {
+ db.users().insertUser(u -> u
+ .setLogin(USER_LOGIN)
.setName("Old name")
.setEmail("Old email")
.setExternalIdentity("old identity")
.setExternalIdentityProvider("old provide"));
- underTest.authenticate(USER_IDENTITY, IDENTITY_PROVIDER, Source.local(Method.BASIC));
+ underTest.authenticate(USER_IDENTITY, IDENTITY_PROVIDER, Source.local(Method.BASIC), FORBID);
UserDto userDto = db.users().selectUserByLogin(USER_LOGIN).get();
assertThat(userDto.isActive()).isTrue();
@Test
public void authenticate_existing_disabled_user() {
organizationFlags.setEnabled(true);
- db.users().insertUser(newUserDto()
+ db.users().insertUser(u -> u
.setLogin(USER_LOGIN)
.setActive(false)
.setName("Old name")
.setExternalIdentity("old identity")
.setExternalIdentityProvider("old provide"));
- underTest.authenticate(USER_IDENTITY, IDENTITY_PROVIDER, Source.local(Method.BASIC_TOKEN));
+ underTest.authenticate(USER_IDENTITY, IDENTITY_PROVIDER, Source.local(Method.BASIC_TOKEN), FORBID);
UserDto userDto = db.users().selectUserByLogin(USER_LOGIN).get();
assertThat(userDto.isActive()).isTrue();
assertThat(userDto.isRoot()).isFalse();
}
+ @Test
+ public void authenticate_existing_user_when_email_already_exists_and_strategy_is_ALLOW() {
+ organizationFlags.setEnabled(true);
+ UserDto existingUser = db.users().insertUser(u -> u.setEmail("john@email.com"));
+ UserDto currentUser = db.users().insertUser(u -> u.setEmail(null));
+ UserIdentity userIdentity = UserIdentity.builder()
+ .setLogin(currentUser.getLogin())
+ .setProviderLogin("johndoo")
+ .setName("John")
+ .setEmail("john@email.com")
+ .build();
+
+ underTest.authenticate(userIdentity, IDENTITY_PROVIDER, Source.local(Method.BASIC), ALLOW);
+
+ UserDto currentUserReloaded = db.users().selectUserByLogin(currentUser.getLogin()).get();
+ assertThat(currentUserReloaded.getEmail()).isEqualTo("john@email.com");
+ UserDto existingUserReloaded = db.users().selectUserByLogin(existingUser.getLogin()).get();
+ assertThat(existingUserReloaded.getEmail()).isNull();
+ }
+
+ @Test
+ public void throw_EmailAlreadyExistException_when_authenticating_existing_user_when_email_already_exists_and_strategy_is_WARN() {
+ organizationFlags.setEnabled(true);
+ UserDto existingUser = db.users().insertUser(u -> u.setEmail("john@email.com"));
+ UserDto currentUser = db.users().insertUser(u -> u.setEmail(null));
+ UserIdentity userIdentity = UserIdentity.builder()
+ .setLogin(currentUser.getLogin())
+ .setProviderLogin("johndoo")
+ .setName("John")
+ .setEmail("john@email.com")
+ .build();
+
+ expectedException.expect(EmailAlreadyExistsException.class);
+
+ underTest.authenticate(userIdentity, IDENTITY_PROVIDER, Source.local(Method.BASIC), WARN);
+ }
+
+ @Test
+ public void throw_AuthenticationException_when_authenticating_existing_user_when_email_already_exists_and_strategy_is_FORBID() {
+ organizationFlags.setEnabled(true);
+ UserDto existingUser = db.users().insertUser(u -> u.setEmail("john@email.com"));
+ UserDto currentUser = db.users().insertUser(u -> u.setEmail(null));
+ UserIdentity userIdentity = UserIdentity.builder()
+ .setLogin(currentUser.getLogin())
+ .setProviderLogin("johndoo")
+ .setName("John")
+ .setEmail("john@email.com")
+ .build();
+
+ expectedException.expect(authenticationException().from(Source.realm(Method.FORM, IDENTITY_PROVIDER.getName()))
+ .withLogin(userIdentity.getLogin())
+ .andPublicMessage("You can't sign up because email 'john@email.com' is already used by an existing user. " +
+ "This means that you probably already registered with another account."));
+ expectedException.expectMessage("Email 'john@email.com' is already used");
+
+ underTest.authenticate(userIdentity, IDENTITY_PROVIDER, Source.realm(Method.FORM, IDENTITY_PROVIDER.getName()), FORBID);
+ }
+
+ @Test
+ public void does_not_fail_to_authenticate_user_when_email_has_not_changed_and_strategy_is_FORBID() {
+ organizationFlags.setEnabled(true);
+ UserDto currentUser = db.users().insertUser(u -> u.setEmail("john@email.com"));
+ UserIdentity userIdentity = UserIdentity.builder()
+ .setLogin(currentUser.getLogin())
+ .setProviderLogin("johndoo")
+ .setName("John")
+ .setEmail("john@email.com")
+ .build();
+
+ underTest.authenticate(userIdentity, IDENTITY_PROVIDER, Source.local(Method.BASIC), FORBID);
+
+ UserDto currentUserReloaded = db.users().selectUserByLogin(currentUser.getLogin()).get();
+ assertThat(currentUserReloaded.getEmail()).isEqualTo("john@email.com");
+ }
+
@Test
public void authenticate_existing_user_and_add_new_groups() {
organizationFlags.setEnabled(true);
.setLogin(user.getLogin())
.setName(user.getName())
.setGroups(newHashSet(groupName))
- .build(), IDENTITY_PROVIDER, Source.sso());
+ .build(), IDENTITY_PROVIDER, Source.sso(), FORBID);
checkGroupMembership(user, groupInDefaultOrg);
}
- @Test
- public void fail_to_authenticate_new_user_when_allow_users_to_signup_is_false() {
- TestIdentityProvider identityProvider = new TestIdentityProvider()
- .setKey("github")
- .setName("Github")
- .setEnabled(true)
- .setAllowsUsersToSignUp(false);
- Source source = Source.realm(Method.FORM, identityProvider.getName());
-
- thrown.expect(authenticationException().from(source).withLogin(USER_IDENTITY.getLogin()).andPublicMessage("'github' users are not allowed to sign up"));
- thrown.expectMessage("User signup disabled for provider 'github'");
- underTest.authenticate(USER_IDENTITY, identityProvider, source);
- }
-
- @Test
- public void fail_to_authenticate_new_user_when_email_already_exists() {
- db.users().insertUser(newUserDto()
- .setLogin("Existing user with same email")
- .setActive(true)
- .setEmail("john@email.com"));
- Source source = Source.realm(Method.FORM, IDENTITY_PROVIDER.getName());
-
- thrown.expect(authenticationException().from(source)
- .withLogin(USER_IDENTITY.getLogin())
- .andPublicMessage("You can't sign up because email 'john@email.com' is already used by an existing user. " +
- "This means that you probably already registered with another account."));
- thrown.expectMessage("Email 'john@email.com' is already used");
- underTest.authenticate(USER_IDENTITY, IDENTITY_PROVIDER, source);
- }
-
private void authenticate(String login, String... groups) {
underTest.authenticate(UserIdentity.builder()
.setProviderLogin("johndoo")
.setName("John")
// No group
.setGroups(stream(groups).collect(MoreCollectors.toSet()))
- .build(), IDENTITY_PROVIDER, Source.sso());
+ .build(), IDENTITY_PROVIDER, Source.sso(), FORBID);
}
private void checkGroupMembership(UserDto user, GroupDto... expectedGroups) {
assertThat(dbClient.userDao().selectByLogin(session, "user").isOnboarded()).isFalse();
}
+ @Test
+ public void create_user_and_index_other_user() {
+ createDefaultGroup();
+ UserDto otherUser = db.users().insertUser();
+
+ UserDto created = underTest.createAndCommit(db.getSession(), NewUser.builder()
+ .setLogin("user")
+ .setName("User")
+ .setEmail("user@mail.com")
+ .setPassword("PASSWORD")
+ .build(), u -> {
+ }, otherUser);
+
+ assertThat(es.getIds(UserIndexDefinition.INDEX_TYPE_USER)).containsExactlyInAnyOrder(created.getLogin(), otherUser.getLogin());
+ }
+
@Test
public void fail_to_create_user_with_missing_login() {
expectedException.expect(BadRequestException.class);
.setEmail("marius2@mail.com")
.setPassword("password2")
.build(), u -> {
- });
+ });
session.commit();
assertThat(dto.isActive()).isTrue();
.setName("Marius2")
.setEmail("marius2@mail.com")
.build(), u -> {
- });
+ });
session.commit();
assertThat(dto.isActive()).isTrue();
.setName("Marius2")
.setExternalIdentity(new ExternalIdentity("github", "john"))
.build(), u -> {
- });
+ });
session.commit();
UserDto dto = dbClient.userDao().selectByLogin(session, DEFAULT_LOGIN);
.setName("Marius2")
.setPassword("password")
.build(), u -> {
- });
+ });
session.commit();
UserDto dto = dbClient.userDao().selectByLogin(session, DEFAULT_LOGIN);
.setEmail("marius2@mail.com")
.setPassword("password2")
.build(), u -> {
- });
+ });
}
@Test
.setEmail("marius2@mail.com")
.setPassword("password2")
.build(), u -> {
- });
+ });
session.commit();
Multimap<String, String> groups = dbClient.groupMembershipDao().selectGroupsByLogins(session, asList(DEFAULT_LOGIN));
.setEmail("marius2@mail.com")
.setPassword("password2")
.build(), u -> {
- });
+ });
session.commit();
Multimap<String, String> groups = dbClient.groupMembershipDao().selectGroupsByLogins(session, asList(DEFAULT_LOGIN));
.setLogin(user.getLogin())
.setName("name")
.build(), u -> {
- });
+ });
assertThat(dbClient.userDao().selectByLogin(session, user.getLogin()).isOnboarded()).isTrue();
}
.setLogin(user.getLogin())
.setName("name")
.build(), u -> {
- });
+ });
assertThat(dbClient.userDao().selectByLogin(session, user.getLogin()).isOnboarded()).isFalse();
}
assertThat(dbClient.userDao().selectByLogin(session, DEFAULT_LOGIN).getUpdatedAt()).isEqualTo(user.getUpdatedAt());
}
+ @Test
+ public void update_user_and_index_other_user() {
+ createDefaultGroup();
+ UserDto user = db.users().insertUser(newLocalUser(DEFAULT_LOGIN, "Marius", "marius@email.com")
+ .setScmAccounts(asList("ma", "marius33")));
+ UserDto otherUser = db.users().insertUser();
+
+ underTest.updateAndCommit(session, UpdateUser.create(DEFAULT_LOGIN)
+ .setName("Marius2")
+ .setEmail("marius2@mail.com")
+ .setPassword("password2")
+ .setScmAccounts(asList("ma2")), u -> {
+ }, otherUser);
+
+ assertThat(es.getIds(UserIndexDefinition.INDEX_TYPE_USER)).containsExactlyInAnyOrder(user.getLogin(), otherUser.getLogin());
+ }
+
@Test
public void fail_to_set_null_password_when_local_user() {
db.users().insertUser(newLocalUser(DEFAULT_LOGIN, "Marius", "marius@email.com"));
// reduce memory for Elasticsearch to 128M
.setServerProperty("sonar.search.javaOpts", "-Xms128m -Xmx128m")
+ .setServerProperty("sonar.web.javaAdditionalOpts", "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8001")
+
.build();
}
projects / sonarqube.git / commitdiff